What is SNMP?

snmp

In the world of networking there are a lot of tools and protocols but in the monitoring area SNMP or Simple Network Management Protocol is probably the most widely used. It is old but it is one of those protocols that will stick around forever.

What is it used for?

SNMP is mainly used today to monitor devices. A device can be anything as long as it runs an snmp service (or deamon in the Linux world). This SNMP agent will respond to any SNMP request that is sent to it. So this device can be a server, a router, a switch, a firewall, etc. What the SNMP agent can do as well is send messages of its own in the event that their is something wrong with the device, like for example a power module goes down (provided you have redundant power supplies in the device of course 🙂 ). This messages of its own are called SNMP traps.

So in short: you have two types of messages in SNMP for monitoring purposes: the request (snmpwalk. snmpget) initiated by the monitoring server and the trap initiated by the client itself.

# % snmpwalk -v 1 router1.domain.local public system 
system.sysDescr.o = “Linux x64 aws” 
system.sysObjectID.o = OID: enterprises.ucdavis.ucdSnmpAgent.sunos4 
system.sys.UpTime.o = Timeticks (595637548) 68 days, 22:32:55 
system.sysContact.o = “[email protected]>”
system.sysName.o = “router1” 
system.sysLocation.o = “Our DC1” 
system.sysServices.o = 72

What ports does SNMP use?

SNMP uses UDP ports 161 (for the SNMP requests from the monitoring server to the device and UDP port 162 for traps from the device to the monitoring server. It’s important to see the difference between the 2 (the direction) as it will be 2 different firewall rules.

What are the versions of SNMP?

The most commonly known are version 1, 2c and 3. The difference between this versions is the level of security they support out of the box.

Version 1 is basically a version without any authentication, which is no longer used today unless you have an older device that only supports v1.

The 2c version improved the security a little bit using a community string to serve as a password. It also introduced the readonly or read/write property of the community. But there is still a big security issue here as most of the devices using version 2c. They have the community string ‘public’ that is configured for readonly accees only, but think about how much information can be discovered using an snmpwalk to a device.

The version 3 allowed for real authentication to happen. What I am referring to is to configure a username and a password for each user connecting.

What is a MIB?

For SNMP requests being successful we need to have an idea of which variables/metrics are available on the device. This is done via a MIB (Management Information Base). In the documentation of most of the tools you will find which MIBs the device supports. There are also some common MIBs that are used to handle the get request for the more common settings like System Description, System Location, System Contact.

Categories

Latest articles

Latest comments

All Splunk Posts